W32/Amca-A is a worm for the Windows platform.
When installed, W32/Amca-A attempts to share the local drives on the infected computer.
W32/Amca-A also spreads through removable storage devices, including floppy drives and USB keys. The worm attempts to create a hidden Autorun.inf file on the removable drive and to copy itself to that drive under the hidden filename <Root>\activexdebugger32.exe.
W32/Amca-A also includes keylogger functionality that can be used to monitor user activity on the infected computer.
When first run, W32/Amca-A copies itself to the Windows system folder and creates the following files:
<Temp>\nesneler.exe
<System>\activexdebugger32.exe
<System>\acd.cmd
<System>\acd2.cmd
<System>\Ijl11.dll
<System>\kmon.ocx
<System>\ktkbdhk3.dll
<System>\mswinsck.ocx
<System>\pac.exe
<System>\scrrntr.dll
The files activexdebugger32.exe, nesneler.exe and pac.exe are detected as W32/Amca-A.
The file kmox.ocx is detected as Troj/Frutitab-A.
The other files acd.cmd, acd2.cmd, scrrntr.dll, Ijl11.dll and ktkbdhk3.dll are clean and can safely be deleted.
The file mswinsck.ocx is a clean winsock control module used in Visual Basic applications.
The following registry entry is changed to run W32/Amca-A on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <original malware filename>
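
The indicators above can be checked on a host with a short script. This is an added example, not Sophos code: the function names are hypothetical, and it assumes <System> is %SystemRoot%\System32 and <Temp> is the current user's temp folder.

```python
import os
import sys
import tempfile

# Names the description lists as detected. It spells one file both kmon.ocx
# and kmox.ocx, so both are checked. mswinsck.ocx is left out: it is a clean
# Visual Basic control that legitimate software also installs.
SYSTEM_INDICATORS = ["activexdebugger32.exe", "pac.exe", "kmon.ocx", "kmox.ocx"]
TEMP_INDICATORS = ["nesneler.exe"]
REMOVABLE_INDICATORS = ["Autorun.inf", "activexdebugger32.exe"]

def shell_is_modified(shell_value):
    """True if the Winlogon Shell value names anything besides Explorer.exe."""
    tokens = shell_value.replace(",", " ").split()
    return [t.lower() for t in tokens] != ["explorer.exe"]

def find_dropped_files(directory, names):
    """Case-insensitive lookup of names in directory (hidden files included)."""
    try:
        present = {entry.lower(): entry for entry in os.listdir(directory)}
    except OSError:
        return []  # missing folder or drive with no media
    return [os.path.join(directory, present[n.lower()])
            for n in names if n.lower() in present]

def removable_root_infected(root):
    """True if both the Autorun.inf and the worm copy sit in the drive root."""
    return len(find_dropped_files(root, REMOVABLE_INDICATORS)) == 2

def read_winlogon_shell():
    import winreg  # Windows-only standard library module
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "Shell")[0]

if __name__ == "__main__" and sys.platform == "win32":
    # Assumption: <System> is %SystemRoot%\System32, <Temp> is the user's temp folder.
    system_dir = os.path.join(os.environ["SystemRoot"], "System32")
    shell = read_winlogon_shell()
    if shell_is_modified(shell):
        print("Winlogon Shell is not the default:", shell)
    hits = (find_dropped_files(system_dir, SYSTEM_INDICATORS)
            + find_dropped_files(tempfile.gettempdir(), TEMP_INDICATORS))
    for hit in hits:
        print("Indicator file present:", hit)
    for root in sys.argv[1:]:  # removable drive roots to check, e.g. E:\
        if removable_root_infected(root):
            print("Autorun.inf plus worm copy in", root)
```

Pass removable drive roots as arguments to have them checked as well. An Autorun.inf on its own is not reported, since many legitimate drives carry one.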